The Internet is a publicly available internationally interconnected system of computers (and the information and services provided to users) that uses the IP suite of packet switching communications protocol. In addition to the beneficial communications, the traffic on the Internet includes an enormous amount of potentially deleterious communications.
One form of such deleterious communication involves computer viruses and worms. Computer viruses and worms are programs that make copies of themselves and spread by attaching themselves to a host, often damaging the host in the process. The host may be another computer program, such as an operating system, which then may infect the applications transferred to other computers. Viruses take advantage of standard network protocols such as the World Wide Web, e-mail, and file sharing systems to spread. Notable computer viruses and related worms include the Sasser worm, the MyDoom, the Sobig worm, the Blaster worm, the SQL Slammer worm, the Klez worm, the Code Red worm, the Sircam worm, the VBS/Loveletter worm, and the Melissa worm.
Other deleterious communications involve the use of packets. A packet is the fundamental unit of information carriage in all modern computer networks. Packets can be used to mount denial of service attacks (also identified herein with the acronym “DoS”) or distributed denial of service attacks (also identified herein with the acronym “DDoS”), and distributed reflected denial of service attacks (also identified herein with the acronym “DRDoS”). For purposes of this invention, the term DoS attacks will commonly refer also to DDoS and DRDoS attacks.
A DoS attack is an attack on a computer system or networking involving the misuse of packets that causes a loss of service to users (e.g., loss of network connectivity) but not to gain access to the systems. DoS attacks can be perpetrated in a number of ways, such as: (1) consumption of computational resources, such as bandwidth, disk space or central processing unit (CPU) time; (2) disruption of configuration information, such as routing information; and (3) disruption of physical network components.
A DDoS attack is a more advanced and more dangerous form of Dos flooding attack. A DDoS attack doesn't use a single source to attack a target, but instead multiple synchronized launch sites. In a distributed attack, the attacking computer hosts are often personal computers with broadband connections to the Internet. A single master program is installed on one system while agent programs are installed on other computers, thereby turning them later into what are termed “slaves” or “zombies”. The master program machine—termed also the “Zombie Master”—then is used to instruct the agent programs—in “zombie” machines—to launch simultaneous DoS attacks against a target or targets. The resultant attack is massive and anonymous since many slave computers are used and without their owner's knowledge. The initial instigator cannot clearly be traced. This is the organization used by many distributed attack tools—such as the windows-hosted “Evil bots” and the “Evil goat Evil bot”. With numerous slave hosts, the services of even the largest and most well-connected websites can be denied. Many worms such as Code Red effectively launch a DDoS attack. All DDoS attacks employ the standard suite of communications protocols used to connect hosts on the Internet, termed Internet Protocol (“IP”) messages, but employ them in non-standard ways.
More specifically, DDoS attacks involve bombarding a web server with a flood of fake requests to prevent legitimate requests from reaching a location and may crash the server. The attack is coordinated with various other hacked computers making it difficult to identify and block the source of the attack. First, an intruder finds one or more systems on the Internet that can be compromised and exploited, typically with a high-bandwidth connection to the Internet. Second, the compromised system is loaded with hacking and cracking tools such as scanners, exploit tools, root kits, and DDoS programs. This system becomes the master which finds a number of other systems that can be compromised and exploited. The attacker scans large ranges of IP network addresses to find systems running services known to have security vulnerabilities. Automated tools remotely compromise a number of hosts and install the DDoS agents on those systems. The actual DDoS attack occurs when the attacker runs a program at the master system that communicates with all hosts.
A DRDOS attack is a more advanced malicious packet flood attack. In the case of a DRDoS attack, the compromised hosts send their flood traffic to a third party, which unwittingly sends a reply to the forged source/target of the flood. This added stop is used to further obfuscate the true location of the compromised hosts, and in some cases, to multiply the effective attack bandwidth. In other words, a malicious hacker located on the Internet floods Internet routers with connection-requesting packets. The requesting packets carry the fraudulent (spoofed) source protocol. Therefore, the routers believe that the packets are coming from a reliable source, and they reply.
One solution that has been offered to defend against distributed denial of service attacks involves the use of “client puzzles”, and, in particular, “application layer puzzles”. Client puzzles are generated by the server and solved by the client. For purposes of this application, the terms “client puzzle” and “proof-of-work” (“PoW”) challenge are used interchangeably herein.
To understand the current defense strategy provided by the application layer use of client puzzles, one must understand the Opens Systems Interconnect (“OSI”) model of network architecture. The OSI architecture is split between seven layers (from highest to lowest): 1. physical layer; 2. data link layer; 3. network layer; 4. transport layer; 5. session layer; 6. presentation layer; and 7. applications layer. Each layer uses the layer immediately below it and renders services to the layer above. Of particular relevance to the present invention are the network layer, the transport layer, and the application layer.
As stated, the network layer is the third lowest layer in the OSI seven layer model. At that level, the routing of packets of data from a sender to a receiver via the data link layer is determined. The most common network layer protocol is the “Internet Protocol” or “IP”. This is the only protocol that is common across all forms of Internet communication.
The transport layer is in the middle layer of the OSI seven layer model. It is at this layer that it is determined how the network layer may be used to facilitate the provision of an error-free, point-to-point connection so that one host can send messages to another host without corruption and in correct order. The transport layer establishes and dissolves connections between hosts. One example of a transport layer protocol is the Transmittal Control Protocol (“TCP”).
The application layer is the top layer of the OSI seven layer model. At this layer, issues such as network transparency, resource allocation, and problem partitioning are handled. One example of an application layer protocol is the Hyper-Text Transport Protocol (“HTTP”). Currently, CAPTCHAs (“Completely Automated Public Turing test to tell Computers and Humans Apart”) exist as a type of proof-of-work challenge on the application layer. CAPTCHAs are used in computing to determine that the user is not run by a computer. CAPTCHAs are used to prevent automated software from performing actions which degrade the quality of service of a given system. The process involves one computer, such as a server, asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. A common type of CAPTCHA requires that the user visually verify by typing the letters of a distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears on the screen. Since a CAPTCHA is administered by a machine and targeted to a human user, problems arise when a user finds it hard to read the characters of the CAPTCHA or the user has a disability such as blind, low vision, or a learning disability such as dyslexia.
Although current client puzzles on the application layer do not require changes to any protocols, installation of software is required on the client or server. Wide-scale adoption of this software in order to operate properly is problematic—clients that fail to have the software installed are denied access to resources.
Under normal conditions, a server accepts any connection request from any client. To effect a client puzzle defense, a server or network that is to be protected generates and sends to a client that is requesting connection a cryptographic puzzle that the client must answer correctly before it is given service. The server allocates the resources necessary to support a connection only to those clients that respond correctly to the puzzle within a predetermined time period. While the non-attacking client will experience only a slight delay in obtaining a connection during an attack, the attacker—given the high volume of connection requests generated by it—will require an incredible amount of processing power to sustain the number of requests necessary for a noticeable interruption in service, thereby thwarting the attack. The client puzzle defense, however, has only been used as an application and transport layer defense against attacks. Placing a defense at such layers does not always provide a robust defense.
Therefore, a need exists for a robust defense against all types of denial of service attacks across all forms of Internet communication that is backwards compatible. The present invention satisfies the demand by placing a puzzle defense system within the network layer or within the application layer to protect all network applications or all web applications, respectively, from DoS attacks.